Novel Phishing Attack Exploits Microsoft Word File Delivery Feature


A new phishing campaign has been identified, leveraging Microsoft's Word file delivery system to distribute corrupted Word documents via email attachments. These files exploit a clever technique to bypass security tools, as they are classified as damaged but can still be recovered by the Word application.


How the Attack Works

Threat actors are continually innovating ways to bypass email security defenses, and this operation is no exception. The attackers use deliberately corrupted Word documents with enticing subject lines related to salary, payroll, and HR topics, making them appear relevant to employees.

Upon opening the attachment, Microsoft Word flags the file as corrupted and prompts the recipient to recover the document. Once recovered, the document contains instructions urging the victim to scan a QR code to access additional information. However, scanning the QR code redirects the user to a phishing website posing as a Microsoft login page, designed to steal login credentials.


Why the Campaign Is Effective

The phishing campaign’s success lies in its unique approach:

  • Bypassing Detection:
    Since the Word files are corrupted, many security tools fail to identify them as malicious. They contain no harmful code, only a QR code, which avoids triggering typical antivirus or email security checks.

  • Compelling Topics:
    By focusing on subjects like bonuses, benefits, or payroll, the attackers significantly increase the likelihood of employees engaging with the email and opening the attachment.


Mitigation and Prevention

Although this campaign employs a novel tactic, users can protect themselves by following standard phishing prevention practices:

  • Be cautious of unexpected emails, especially those with enticing subject lines like "bonuses" or "HR updates," particularly from unknown senders.
  • Avoid opening suspicious email attachments, even if they seem relevant to work.
  • Always verify emails related to payroll or benefits with the sender or a network administrator.
  • Never scan QR codes from unknown or unsolicited sources.
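
On the mail-gateway side, the detection gap described under "Bypassing Detection" can be narrowed by treating any Word attachment that does not parse as a well-formed package as a reason to quarantine rather than deliver. The sketch below is an added example, not code from the campaign report or from any vendor; the function names, the sample file name and the way the sample is damaged (truncation) are assumptions, since the article does not say how the real attachments were corrupted.

```python
import io
import zipfile

# Parts every Word OOXML package carries (Open Packaging Conventions layout).
REQUIRED_PARTS = ("[Content_Types].xml", "word/document.xml")
WORD_EXTENSIONS = (".docx", ".docm")


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'not-word', 'ok' or 'quarantine:<reason>'."""
    if not filename.lower().endswith(WORD_EXTENSIONS):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as package:
            damaged_member = package.testzip()  # re-reads every member, checks CRCs
            names = set(package.namelist())
    except Exception:
        # Fail closed: whatever the parse error, a scanner could not have
        # inspected this file either, so it must not be delivered unreviewed.
        return "quarantine:unparseable-container"
    if damaged_member is not None:
        return "quarantine:crc-mismatch"
    if any(part not in names for part in REQUIRED_PARTS):
        return "quarantine:missing-parts"
    return "ok"


def build_package(parts: dict) -> bytes:
    """Build a constructed in-memory OOXML-style ZIP for the demo."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as package:
        for name, body in parts.items():
            package.writestr(name, body)
    return buffer.getvalue()


# Constructed samples; the damage method (truncation) is an assumption.
GOOD = build_package({"[Content_Types].xml": "<Types/>",
                      "word/document.xml": "<w:document/>"})
TRUNCATED = GOOD[: len(GOOD) // 2]  # end-of-central-directory record is lost
WRONG_LAYOUT = build_package({"readme.txt": "not a Word package"})

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("truncated", TRUNCATED),
                        ("layout", WRONG_LAYOUT)):
        print(label, "->", triage_attachment("Payroll_Update.docx", blob))
```

Genuinely damaged documents will also be quarantined by this rule, so the outcome should be a review queue or a sender notification rather than a silent drop.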


Conclusion

This phishing campaign demonstrates how attackers are evolving their tactics to exploit weaknesses in security protocols. While the use of corrupted Word documents is innovative, adhering to basic cybersecurity principles—such as verifying suspicious emails and avoiding unsolicited links—can significantly reduce the risk of falling victim to such attacks. Staying vigilant remains the best defense against phishing attempts.